Re: [OAUTH-WG] Refresh tokens security enhancement

Torsten Lodderstedt <> Tue, 04 May 2010 18:36 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D09283A6CCA for <>; Tue, 4 May 2010 11:36:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.54
X-Spam-Status: No, score=-0.54 tagged_above=-999 required=5 tests=[AWL=-0.891, BAYES_50=0.001, HELO_EQ_DE=0.35]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id fJQcUUKC8gcx for <>; Tue, 4 May 2010 11:36:53 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 3753B3A6D00 for <>; Tue, 4 May 2010 11:32:34 -0700 (PDT)
Received: from ([] helo=[]) by with esmtpa (Exim 4.68) (envelope-from <>) id 1O9Mup-0000Fy-IN; Tue, 04 May 2010 20:32:19 +0200
Message-ID: <>
Date: Tue, 04 May 2010 20:32:17 +0200
From: Torsten Lodderstedt <>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv: Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: Allen Tom <>
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Df-Sender: 141509
Cc: "OAuth WG \(\)" <>
Subject: Re: [OAUTH-WG] Refresh tokens security enhancement
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 04 May 2010 18:36:57 -0000

Hi Allen,

Am 03.05.2010 18:55, schrieb Allen Tom:
> Hi Torsten,
> Thanks for posting this idea - I think that issuing a new Refresh Token (and
> invalidating the old one) on every refresh request would help detect token
> theft.
> HOWEVER - in practice, this mechanism could make implementations very
> tricky. For example, some  applications are highly distributed, with each
> instance (or component) having its own copy of the Refresh Token. Keeping
> the Refresh Token in sync would not really be feasible for these types of
> apps.

You are right, this approach might make implementing a client more 
difficult, especially clustered web applications.
That's not the case for autonomous devices (gaming consoles, mobile 
phones e.t.c) where the application
architecture will typically be much simpler. On the other hand, these 
are exactly the clients where the current
version of the specification does not contain any countermeasure against 
token theft.

> Invalidating the Refresh Token (and presumably also invalidating any
> outstanding Access Tokens) would make sense as an option for applications
> that require a high level of security. However, I do not think that
> invalidating the Refresh Token on every Refresh request should be required
> in the spec - it should be an implementation specific detail.

It could be an optional feature of the spec (as many other features). An 
authorization server could decide
when to use it based on its policy. For example, the authorization 
server could make this decision
depend on client type (mobile vs. web application), client id, or target 
service (security level).

The definition could be as follows

          OPTIONAL.  A new refresh token replacing the refresh_token 
used as input parameter.
          If set, the client must use this token for the next "refresh" 
request. The former refresh
          token has been invalidated by the authorization server.

The benefit of making it an (optional) spec feature is support by 
libraries, standard service and
applications. From my point of view, OAuth2 has the potential to become 
THE standard for
securing standard protocols like IMAP, SyncML, SIP, WebDav and many 
others. Every feature
defined by the standard is most likely supported by standard clients and 
servers. So depending
on the authorization servers policy, all of this clients could be 
secured with the proposed

> At Yahoo, we've used the Refresh Flow for all of our proprietary
> authorization APIs for many years, and I know of several applications which
> would break if the Refresh Token (and Access Token) were invalidated on
> every refresh request. Off the top of my head, I know of server based apps,
> mobile apps, and desktop apps which are composed of several components which
> asynchronously and independently keep their own copies of the user's
> credentials.

As I said, it could be an optional feature, which offers out of the box 
token theft prevention. Every
deployment can decide to use it or not.

The proposed change is small in terms of specification but we could 
demonstrate that OAuth is also
suited for applications with a higher level of security.


> Thanks
> Allen
> On 5/2/10 10:48 AM, "Torsten Lodderstedt"<>  wrote:
>> We came up with the following idea:
>> The authorization server automatically creates a new refresh token with
>> every "refresh" request (section 4) and invalidated the previous refresh
>> token. The client must use this new token for the next "refresh"
>> request. All attempts to obtain access tokens with an invalidated
>> refresh token are refused. Additionally, the authorization server should
>> hold a history of when the refresh token has been used. The client
>> application behavior depends on who uses the refresh token first after
>> it has been stolen.